Sanitize and Validate Data with PHP Filters

Data validation is an integral part of working with forms. Not only can invalid submitted data lead to security problems, but it can also break your webpage. Today, we’ll take a look at how to remove illegal characters and validate data by using the “filter_var” function.

As an example, suppose a user has entered the text “I don’t have one” as their home page. If this data were entered into a database and later retrieved as a link, the link would be broken.

Most people tend to think of data validation as an immensely tedious process where one either:

  • Compares the data they want to validate against every possible combination they can think of.
  • Tries to find a golden Regular Expression that will match every possible combination.
  • A combination of the two.

There are obvious problems with the approaches listed above:

  • They are extremely time consuming.
  • There is a very high chance of error.

Fortunately, beginning with version 5.2, PHP has included a great function called filter_var that takes away the pain of data validation.

filter_var In Action

filter_var can both sanitize and validate data. What’s the difference between the two?

  • Sanitizing will remove any illegal character from the data.
  • Validating will determine if the data is in proper form.

Note: why sanitize and not just validate? It’s possible the user accidentally typed in a wrong character or maybe it was from a bad copy and paste. By sanitizing the data, you take the responsibility of hunting for the mistake off of the user.

How to use filter_var

Using filter_var is incredibly easy. It’s simply a PHP function that takes two pieces of data:

  • The variable you want to check
  • The type of check to use

For example, the below code will remove all HTML tags from a string:

$string = "<h1>Hello, World!</h1>";
$new_string = filter_var($string, FILTER_SANITIZE_STRING);
// $new_string is now "Hello, World!"
// (FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1)

Here’s another example — this time more difficult. The below code will ensure the value of the variable is a valid IP address:

$ip = "127.0.0.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is "127.0.0.1": validate filters return the value itself (which is truthy) on success

$ip = "127.0.1.1.1.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is FALSE

That’s how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.
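An added example (not from the original tutorial) that goes beyond the two-argument calls shown above: the optional third argument of filter_var carries options and flags, and validate filters return the filtered value rather than TRUE, so results are compared with === false. The helper names and sample values are constructed; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the original tutorial. Validate filters hand back the
// filtered VALUE on success and false on failure, so test with === false: an
// int filter can legitimately return 0, which a plain if (!$x) would misread.
// The optional third argument of filter_var() carries options and/or flags.

// TCP port: FILTER_VALIDATE_INT with a min/max range option.
function check_port($value)
{
    $port = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;    // int on success, null otherwise
}

// Public IPv4 address: flags reject private (10/8, 172.16/12, 192.168/16)
// and reserved (0/8, 127/8, 169.254/16, 240/4) ranges.
function check_public_ipv4($value)
{
    $ip = filter_var(
        $value,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $ip === false ? null : $ip;        // the address string, or null
}

// http/https URL: FILTER_VALIDATE_URL checks structure but accepts any scheme,
// so the scheme restriction has to be added by hand.
function check_http_url($value)
{
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed sample inputs: each list mixes values that pass and values that
// fail the corresponding check.
$samples = [
    'port' => ['80', '0', '70000', '8080abc'],
    'ipv4' => ['8.8.8.8', '10.0.0.1', '127.0.0.1', '::1'],
    'url'  => ['https://example.com/path', 'ftp://example.com/file', 'example.com'],
];
$checks = ['port' => 'check_port', 'ipv4' => 'check_public_ipv4', 'url' => 'check_http_url'];
foreach ($samples as $kind => $values) {
    foreach ($values as $v) {
        printf("%-5s %-28s => %s\n", $kind, var_export($v, true),
            var_export(call_user_func($checks[$kind], $v), true));
    }
}
```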

Sanitizing Example

Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.

<?php
    if (isset($_POST['email'])) {
        // sanitized, then HTML-escaped before it is echoed back into the page
        echo htmlspecialchars(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL));
        echo "<br/><br/>";
    }

    if (isset($_POST['homepage'])) {
        // FILTER_SANITIZE_URL keeps "<" and ">" (legal URL characters), so escape on output
        echo htmlspecialchars(filter_var($_POST['homepage'], FILTER_SANITIZE_URL));
        echo "<br/><br/>";
    }
?>

<form name="form1" method="post" action="form-sanitize.php">
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo isset($_POST['homepage']) ? htmlspecialchars($_POST['homepage']) : ''; ?>" size="50" /> <br/>
    <br/>
    <input type="submit" />
</form>

By using the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL constants defined by PHP, the guesswork of knowing which characters are illegal is gone.

Validating Example

Just because the data is sanitized does not ensure that it’s properly formatted. In the example below, the data did not need to be sanitized, but it’s obvious that the user input is not an email address or a URL.

In order to ensure the data is properly formatted, it needs to be validated.

<?php
    if (isset($_POST['email'])) {
        $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            echo htmlspecialchars($email) . " is a valid email address.<br/><br/>";
        } else {
            echo htmlspecialchars($email) . " is <strong>NOT</strong> a valid email address.<br/><br/>";
        }
    }

    if (isset($_POST['homepage'])) {
        $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
        // a sanitized URL may still contain "<" and ">", so it is escaped before being echoed
        if (filter_var($homepage, FILTER_VALIDATE_URL)) {
            echo htmlspecialchars($homepage) . " is a valid URL.<br/><br/>";
        } else {
            echo htmlspecialchars($homepage) . " is <strong>NOT</strong> a valid URL.<br/><br/>";
        }
    }
?>

<form name="form1" method="post" action="form-validate.php">
Email Address: <br/>
<input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>" size="50"/> <br/><br/>
Home Page: <br/>
<input type="text" name="homepage" value="<?php echo isset($_POST['homepage']) ? htmlspecialchars($_POST['homepage']) : ''; ?>" size="50" /> <br/>
<br/>
<input type="submit" />
</form>

Now that the data has been validated, you can be sure that the submitted information is in the format you’re looking for.

Putting It All Together: An Email Submit Form

Now that data sanitization and validation have been covered, we’ll put those skills to use with a quick email submission form. This will by no means be of production quality — for example, no form should require a home page — but it’ll work perfectly for this tutorial. The form will take 4 pieces of information:

  • Name
  • Email Address
  • Home Page
  • Message

We’ll sanitize and validate against all 4 pieces of data and only send the email if they are all valid. If anything is invalid, or if any fields are blank, the form will be presented to user along with a list of items to fix. We’ll also return the sanitized data to the user in case they are unaware that certain characters are illegal.

Step 1 – Creating the Form

For the first step, simply create a form element with 5 fields: the four listed above and a submit button:

<form name="form1" method="post" action="form-email.php">
    Name: <br/>
    <input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name']) : ''; ?>" size="50" /><br/><br/>
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo isset($_POST['homepage']) ? htmlspecialchars($_POST['homepage']) : ''; ?>" size="50" /> <br/><br/>
    Message: <br/>
    <textarea name="message" rows="5" cols="50"><?php echo isset($_POST['message']) ? htmlspecialchars($_POST['message']) : ''; ?></textarea>
    <br/>
    <input type="submit" name="Submit" />
</form>

Step 2 – Determine if the Form was Submitted

You can check to see if a form was submitted by seeing if the submit button was “set”. Place the following code above your form:

if (isset($_POST['Submit'])) {

}

Step 3 – Validating the Name and Message Field

Since both the name and message fields will be sanitized and validated the same, we’ll do them together. First, check to see if either field is blank by doing the following:

if ($_POST['name'] == "")

if ($_POST['message'] == "")

Next, sanitize them with the FILTER_SANITIZE_STRING constant:

$_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

$_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);

Finally, check to make sure that the two fields still are not blank. This is to ensure that after removing all illegal characters, you are not left with a blank field:

if ($_POST['name'] == "")

if ($_POST['message'] == "")

We won’t do any further validation on these two fields, simply because there is no definitive way to validate a name or an arbitrary message.

The final code looks like this:

if ($_POST['name'] != "") {
    $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
    if ($_POST['name'] == "") {
        $errors .= 'Please enter a valid name.<br/><br/>';
    }
} else {
    $errors .= 'Please enter your name.<br/>';
}

if ($_POST['message'] != "") {
    $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
    if ($_POST['message'] == "") {
        $errors .= 'Please enter a message to send.<br/>';
    }
} else {
    $errors .= 'Please enter a message to send.<br/>';
}

Step 4 – Validate the Email Field

The email field will be sanitized and validated just as it was earlier in the tutorial.

First, check to make sure it is not blank:

if ($_POST['email'] != "")

Next, sanitize it:

$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

Finally, validate it as a true email address:

if (!filter_var($email, FILTER_VALIDATE_EMAIL))

The final code looks like this:

if ($_POST['email'] != "") {
    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your email address.<br/>';
}

Step 5 – Validate the Home Page Field

Again, the home page field will be sanitized and validated the same way as earlier in the tutorial.

First, make sure it is not blank:

if ($_POST['homepage'] != "")

Next, sanitize it and remove any illegal characters:

$homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);

Finally, validate it to make sure it’s a true URL:

if (!filter_var($homepage, FILTER_VALIDATE_URL))

The final code looks like this:

if ($_POST['homepage'] != "") {
    $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
    if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
        // a sanitized URL may still contain "<" and ">", so escape it before echoing it
        $errors .= htmlspecialchars($homepage) . " is <strong>NOT</strong> a valid URL.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your home page.<br/>';
}

Step 6 – Check for Errors and Send the Message

Now that we’ve gone through all fields, it’s time to either report the errors or send the message. Start off by assuming there were no errors:

if (!$errors) {

Then build the email message:

$mail_to = 'me@somewhere.com';
$subject = 'New Mail from Form Submission';
$message  = 'From: ' . $_POST['name'] . "\n";
$message .= 'Email: ' . $_POST['email'] . "\n";
$message .= 'Homepage: ' . $_POST['homepage'] . "\n";
$message .= "Message:\n" . $_POST['message'] . "\n\n";

And finally, send the message:

mail($mail_to, $subject, $message);

However, if there were any errors, report them and have the user try again:

echo '<div style="color: red">' . $errors . '<br/></div>';

The completed project looks like this:

<?php
    $errors = '';   // collects the messages shown to the user; stays empty when every field is valid

    if (isset($_POST['Submit'])) {

        if ($_POST['name'] != "") {
            $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
            if ($_POST['name'] == "") {
                $errors .= 'Please enter a valid name.<br/><br/>';
            }
        } else {
            $errors .= 'Please enter your name.<br/>';
        }

        if ($_POST['email'] != "") {
            $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
            if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your email address.<br/>';
        }

        if ($_POST['homepage'] != "") {
            $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
            if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
                // a sanitized URL may still contain "<" and ">", so escape it before echoing it
                $errors .= htmlspecialchars($homepage) . " is <strong>NOT</strong> a valid URL.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your home page.<br/>';
        }

        if ($_POST['message'] != "") {
            $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
            if ($_POST['message'] == "") {
                $errors .= 'Please enter a message to send.<br/>';
            }
        } else {
            $errors .= 'Please enter a message to send.<br/>';
        }

        if (!$errors) {
            $mail_to = 'me@somewhere.com';
            $subject = 'New Mail from Form Submission';
            // the sanitized and validated values go into the message, not the raw input
            $message  = 'From: ' . $_POST['name'] . "\n";
            $message .= 'Email: ' . $email . "\n";
            $message .= 'Homepage: ' . $homepage . "\n";
            $message .= "Message:\n" . $_POST['message'] . "\n\n";
            mail($mail_to, $subject, $message);

            echo "Thank you for your email!<br/><br/>";
        } else {
            echo '<div style="color: red">' . $errors . '<br/></div>';
        }
    }
?>

<form name="form1" method="post" action="form-email.php">
Name: <br/>
<input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name']) : ''; ?>" size="50" /><br/><br/>
Email Address: <br/>
<input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>" size="50"/> <br/><br/>
Home Page: <br/>
<input type="text" name="homepage" value="<?php echo isset($_POST['homepage']) ? htmlspecialchars($_POST['homepage']) : ''; ?>" size="50" /> <br/><br/>
Message: <br/>
<textarea name="message" rows="5" cols="50"><?php echo isset($_POST['message']) ? htmlspecialchars($_POST['message']) : ''; ?></textarea>
<br/>
<input type="submit" name="Submit" />
</form>
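The six-step handler above, restructured as an added example (not the tutorial's own code) into a function that runs from the command line against constructed submissions; it keeps the tutorial's sanitize-then-validate order and adds what a real handler needs, in particular HTML escaping of everything echoed back, because FILTER_SANITIZE_URL keeps `<` and `>` as legal URL characters. It assumes PHP 7 or later and uses FILTER_SANITIZE_FULL_SPECIAL_CHARS in place of FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1; the function names, the http/https scheme check and the sample submissions are additions.

```php
<?php
// Added example, not the tutorial's own code: the form handler as a pure
// function over an input array, so it can be exercised without a web server.
// FILTER_SANITIZE_FULL_SPECIAL_CHARS stands in for the deprecated FILTER_SANITIZE_STRING.

function validate_submission(array $input)
{
    $errors = [];
    $clean  = [];

    // Name and message: sanitize, then check that something is left.
    foreach (['name' => 'your name', 'message' => 'a message to send'] as $field => $label) {
        $raw = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($raw === '') {
            $errors[] = "Please enter $label.";
            continue;
        }
        $clean[$field] = filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        if ($clean[$field] === '') {
            $errors[] = "Please enter a valid $field.";
        }
    }

    // Email: sanitize first, then validate the sanitized value, as in the tutorial.
    $email = isset($input['email']) ? filter_var(trim((string) $input['email']), FILTER_SANITIZE_EMAIL) : '';
    if ($email === '') {
        $errors[] = 'Please enter your email address.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "$email is NOT a valid email address.";
    } else {
        $clean['email'] = $email;
    }

    // Home page: same pattern, plus an http/https check that FILTER_VALIDATE_URL does not make.
    $homepage = isset($input['homepage']) ? filter_var(trim((string) $input['homepage']), FILTER_SANITIZE_URL) : '';
    $scheme   = strtolower((string) parse_url($homepage, PHP_URL_SCHEME));
    if ($homepage === '') {
        $errors[] = 'Please enter your home page.';
    } elseif (filter_var($homepage, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors[] = "$homepage is NOT a valid URL.";
    } else {
        $clean['homepage'] = $homepage;
    }

    return ['errors' => $errors, 'data' => $clean];
}

// Escape anything that goes back into the page, whether or not it was sanitized.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed submissions: one well-formed, one with a problem in every field.
$submissions = [
    ['name' => 'Ada', 'email' => 'ada@example.com', 'homepage' => 'https://example.com/', 'message' => 'Hello'],
    ['name' => '', 'email' => 'not an address', 'homepage' => 'https://example.com/<b>x</b>', 'message' => '<script>'],
];
foreach ($submissions as $s) {
    $result = validate_submission($s);
    echo $result['errors'] ? "Errors:\n  " . implode("\n  ", array_map('h', $result['errors'])) . "\n" : "OK\n";
    // What the form's value="" attribute must receive: the escaped, not merely sanitized, URL.
    echo '  homepage attribute: value="' . h(filter_var($s['homepage'], FILTER_SANITIZE_URL)) . "\"\n";
}
```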

Summary

I hope reading this tutorial gave you a good introduction to PHP’s new data filtering features. There are still many more functions and rules that were not covered, so if you’re interested in learning more, please see the Data Filtering section in the PHP manual.

Discussion 91 Comments

  1. thanks !! very helpful plugin

  2. Thanks for nice posting and usefull message

    • al says:

      // strips the listed BBCode tags, keeping the text between them
      function bbcode($s) {
          static $bbcode = array(
              '#\[(h[1-6])\](.+?)\[/\1\]#is' => '\2',
              '#\[p\](.+?)\[/p\]#is' => '\1',
              '#\[b\](.+?)\[/b\]#is' => '\1',
              '#\[i\](.+?)\[/i\]#is' => '\1',
              '#\[u\](.+?)\[/u\]#is' => '\1',
              '#\[code\](.+?)\[/code\]#is' => '\1',
              '#\[(url)\=(.+?)\](.*?)\[/\1\]#is' => '\3',
              '#\[(url)\](.*?)\[/\1\]#is' => '\2',
              '#\[(email)\=(.+?)\](.*?)\[/\1\]#is' => '\3',
              '#\[(email)\](.*?)\[/\1\]#is' => '\2',
              '#\[(img)\](.*?)\[/\1\]#is' => '',
              '#\[br\]#is' => '',
          );

          $r = preg_replace(array_keys($bbcode), array_values($bbcode), $s);

          return $r;
      }

  3. Neophytech says:

    nice tutorials will definitely have a go :)

  4. waqas says:

    very helpful and well taught

  5. tamo says:

    Is it possible to hack a web form from the message box? I notice it was not validated; does this not also pose a security risk (SQL injection etc.)?

  6. Thanks for info. very helpfull

  7. Catalin says:

    thanks! this is indeed a very good tutorial.

  8. Catalin says:

    Thanks! Indeed, this is a very good tutorial.

  9. David says:

    @tamo
    No, he didn’t validate it because as he said, there is no way to validate a text string. He did sanitize the data, however, and that is what protects against SQL injection attacks and illegal characters. All data in his form was sanitized, not just the message.

  10. ben says:

    Hi,

    An error in variable name ;¬)
    //mail($to, $subject, $message);
    48. mail($mail_to, $subject, $message);

  11. I think you had a wonder knowledge in programming language. May be you can help me lot of people with your programs who are not familiar with this one… think it of again. Thanks for the post

  12. oyun says:

    thanks god error

  13. FG says:

    Thanks for info. very helpfull

  14. tashi says:

    Good tutorial!!!!
    But I guess we need to consider the version of PHP, as the above functions are available for PHP 5 >= 5.2.0

  15. Hi..,
    This is a nice script. Its easy to understand and help to me..
    you done a good job. :-)

    Thanks a lot..!

  16. Thanks heaps! This was really well laid out and easy to understand.

  17. Troy F. says:

    Nice tutorial, code and example.

    Glad my webhost has the latest version of PHP to support these more contemporary filters
    and validations.

    Thankyou for posting this.
    TAF

  18. Andre Dublin says:

    Wow, this was so easy to add to my forms, thank you so much!

  19. Sarah Tailor says:

    Thanks,,,, really helped a lot, I was considering to code my own function to remove illegal characters but this will do :)

  20. Sarah Tailor says:

    Thanks,,,, really helped a lot, I was considering to code my own function to remove illegal characters but this will do :)

  21. meltz says:

    Nice tutorial nvn know php 5 come with this new functions but I prefer to use php empty($var) to check for blank field.

  22. meltz says:

    nice tutorial never know php 5 come with this new functions but I prefer to check for empty string using empty($var) function.

  23. johan says:

    very usuful and helpful
    keep it up
    thanks

  24. Chris Kennon says:

    It seems in the final example, that the mail sanitizing fails.

    if ($_POST['email'] != "") {
        $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors .= "$email is NOT a valid email address.";
        }
    } else {
        $errors .= 'Please enter your email address.';
    }

  25. rimpe says:

    Great work. But I didnt see the php filters on any projects, like wordpress.

  26. Paul Stewart says:

    Good post :). This is just an teaser of what it can do! Amen to good old regex!

  27. John S says:

    thanks for the awesome article!

    I started implementing the above validation in my code, but then stumbled onto a plug and play type of validation class at http://github.com/Wixel/GUMP – this was immensely helpful.

    Someone else might find it useful.

  28. Online Calculator says:

    i m finding Browse file system any Programmer Help me ? ? ?

  29. BrenFM says:

    Thanks for the help! Much appreciated!!!

  30. Aditya Verma says:

    is ” filter_var ” better to use over ” preg_match ” for email and url validation,i mean are the equivalent or which one is better ?

    • Bindra Bindu says:

      @Aditya Verma,

      Switching over to use filter_var() would be a great idea actually. You wouldn’t be able to use your existing regular expressions, however you WOULD be able to eliminate them entirely. Often, the regex we use in our apps are simply used for simple validations and filtering, which is exactly what the filter_var() function is intended for.

      For example, in your code, you may already have:

      if (eregi('\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b', $_POST['email'])) {
          echo "valid";
      }

      This could be replaced by the prettier version (not relying on custom regular expressions):

      if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
          echo "valid";
      }

      The filter_var() function also has the ability to sanitize out characters which aren’t needed by the particular data you’re examining, and would return the cleaned string (instead of a boolean):

      $clean = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

      This kind of usage with filter_var() would replace ereg_replace() type functions.

      You may also see another article on Sanitize and Validate Filter in PHP; for more details, check out the following link:
      http://www.mindstick.com/Articles/eb601128-30ec-4720-9323-ba6cc25138c0/?PHP%20Filter

      Thanks !!!

  31. Mike says:

    How do you get the errors to print on the form page?

  32. moncler says:

    The filter_var() function also has the ability to sanitize out characters which aren’t needed by the particular data you’re examining, and would return the cleaned string (instead of a boolean):

    $clean = filter_var($_POS

  33. Rockstar says:

    very nice tutorial..

  34. ZZ says:

    Why would you want to sanitize an email form field and then validate it? Isn’t that just a waste of time? If the field doesn’t validate as a valid email address, you could right away tell the user to enter a valid address.

    Also, in the book PHP Object Oriented Solutions David Powers says that applying more than one filter to a variable can have unpredictable results. Not sure though if it applies to this tutorial, because here a sanitized POST field is assigned to a different variable (not two filters assigned to the same variable).

  35. rao says:

    an outstanding tut, good work amigo and thank you!

  36. Really useful as usual, u do guys. hats off to u?

    If any one interested in attending advanced trainig of PHP in delhi or from any part of country can visit this page.
    http://www.admecindia.co.in/php-master-course.html#php-master

    Thanks
